feat(auth): add BFF Token Handler auth routes (Phase 3)#215
Merged
Conversation
Wires GET /auth/login, GET /auth/callback, GET /auth/session, and POST /auth/logout on app-api against the confidential Cognito BFF client. Routes are dormant — no SPA consumer until Phase 5. CDK: adds BFF_AUTH_CALLBACK_URL + BFF_POST_LOGIN_REDIRECT_URL to the app-api task env, mirroring the URLs Phase 1 already registered with the BFF Cognito client. Refactors: SessionCache exposes a process-wide get_default_cache() singleton so logout invalidates the same instance the refresh middleware seeds; secret resolution lifted into resolve_bff_client_secret() so refresh + token-exchange share one cached secret per process. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
4 tasks
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
The Phase 3 BFF callback is a public OAuth landing — Cognito redirects
the browser there with `?code=...&state=...`, no Bearer involved.
Without this entry the sweep tries to assert unauthenticated /auth/callback
returns 401, but the route returns 503 ("BFF auth flow is not configured")
in CI because BFF env vars aren't set there. Same treatment as the
existing `/oauth/callback`.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 3 of the BFF Token Handler migration. Adds the four browser-facing auth routes that the SPA will adopt at cutover (Phase 6), all dormant today since no SPA caller exists yet.
GET /auth/login— initiates Cognito OAuth code flow with PKCE state, redirects to Hosted UI.GET /auth/callback— exchanges authorization code, persists a session row, writes sealed__Host-bff_session+__Host-bff_csrfcookies, redirects to the SPA.GET /auth/session— returns the current user + CSRF token; the SPA calls this on bootstrap to confirm "am I logged in?"POST /auth/logout— drops the session row, clears both cookies. Returns 204 — no Cognito/logoutredirect; SPA owns post-logout UX. CSRF-exempt via_EXEMPT_PATHS.Also a small Phase 1.5 CDK addition:
BFF_AUTH_CALLBACK_URLandBFF_POST_LOGIN_REDIRECT_URLenv vars on the app-api task, mirroring the URLs Phase 1 already pinned into the BFF Cognito client'scallbackUrls/logoutUrls.Refactors that other phases lean on
SessionCache.get_default_cache()is now a process-wide singleton, so logout invalidates the same in-memory entry the refresh middleware seeds.resolve_bff_client_secret()is a module-level cache shared by both the refresh path and the new token-exchange path — one Secrets Manager call per process.Why dormant
Phase 3 ships the routes but no SPA code calls them yet. Phase 5 will add the frontend
SessionService; Phase 6 is the per-environment cutover that finally makes these the user-facing auth flow. Hitting/auth/loginend-to-end works today as long as Phase 1 env vars are set — useful for manual smoke testing.Test plan
tests/apis/app_api/auth/bff/{test_login,test_callback,test_session,test_logout}.pytests/architecture/test_import_boundaries.py)/auth/loginagainst a deployed BFF Cognito client, verify cookie redirect lands on the post-login URL🤖 Generated with Claude Code